Total
1560 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-37577 | 2026-04-15 | 6.8 Medium | ||
| Bluetooth LE and BR/EDR Secure Connections pairing and Secure Simple Pairing using the Passkey entry protocol in Bluetooth Core Specifications 2.1 through 5.3 may permit an unauthenticated man-in-the-middle attacker to identify the Passkey used during pairing by reflection of a crafted public key with the same X coordinate as the offered public key and by reflection of the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. This is a related issue to CVE-2020-26558. | ||||
| CVE-2018-25129 | 2026-04-15 | 7.5 High | ||
| SOCA Access Control System 180612 contains multiple insecure direct object reference vulnerabilities that allow attackers to access sensitive user credentials. Attackers can retrieve authenticated and unauthenticated user password hashes and pins through unprotected endpoints like Get_Permissions_From_DB.php and Ac10_ReadSortCard. | ||||
| CVE-2024-8988 | 2026-04-15 | 5.3 Medium | ||
| The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download files uploaded by others users and expose potentially sensitive information. | ||||
| CVE-2024-24312 | 2026-04-15 | 7.5 High | ||
| SQL injection vulnerability in Vaales Technologies V_QRS v.2024-01-17 allows a remote attacker to obtain sensitive information via the Models/UserModel.php component. | ||||
| CVE-2024-21981 | 1 Amd | 3 Athlon, Epyc, Ryzen | 2026-04-15 | 5.7 Medium |
| Improper key usage control in AMD Secure Processor (ASP) may allow an attacker with local access who has gained arbitrary code execution privilege in ASP to extract ASP cryptographic keys, potentially resulting in loss of confidentiality and integrity. | ||||
| CVE-2024-33818 | 1 Globitel | 1 Speechlog | 2026-04-15 | 7.5 High |
| Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference (IDOR) via the userID parameter. | ||||
| CVE-2024-45032 | 1 Siemens | 2 Industrial Edge Management Pro, Industrial Edge Management Virtual | 2026-04-15 | 10 Critical |
| A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Affected components do not properly validate the device tokens. This could allow an unauthenticated remote attacker to impersonate other devices onboarded to the system. | ||||
| CVE-2025-10024 | 1 Exert | 1 Education Management System | 2026-04-15 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection.This issue affects Education Management System: through 23.09.2025. | ||||
| CVE-2023-49112 | 1 Kiuwan | 1 Sast | 2026-04-15 | 6.5 Medium |
| Kiuwan provides an API endpoint /saas/rest/v1/info/application to get information about any application, providing only its name via the "application" parameter. This endpoint lacks proper access control mechanisms, allowing other authenticated users to read information about applications, even though they have not been granted the necessary rights to do so. This issue affects Kiuwan SAST: <master.1808.p685.q13371 | ||||
| CVE-2024-10782 | 2026-04-15 | 4.3 Medium | ||
| The Theme Builder For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. | ||||
| CVE-2025-34293 | 1 Miles33 | 1 Gn4 Publishing System | 2026-04-15 | N/A |
| GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account's security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account. | ||||
| CVE-2025-2271 | 2026-04-15 | 7.7 High | ||
| A vulnerability exists in Issuetrak v17.2.2 and prior that allows a low-privileged user to access audit results of other users by exploiting an Insecure Direct Object Reference (IDOR) vulnerability in the Issuetrak audit component. The vulnerability enables unauthorized access to sensitive information, including user details, network and hardware information, installed programs, running processes, drives, and printers. Due to improper access controls, an attacker can retrieve audit data belonging to other users, potentially leading to unauthorized data exposure, privacy violations, and security risks. | ||||
| CVE-2025-4040 | 2026-04-15 | 7.1 High | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Turpak Automatic Station Monitoring System allows Privilege Escalation.This issue affects Automatic Station Monitoring System: before 5.0.6.51. | ||||
| CVE-2024-4843 | 2026-04-15 | 4.3 Medium | ||
| ePO doesn't allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege. | ||||
| CVE-2025-8463 | 2026-04-15 | 5.3 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing.This issue affects SecHard: before 3.6.2-20250805. | ||||
| CVE-2026-24991 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extensions For CF7: from n/a through <= 3.4.0. | ||||
| CVE-2025-59687 | 1 Impqtr | 1 Aurora | 2026-04-15 | 4.3 Medium |
| IMPAQTR Aurora before 1.36 allows Insecure Direct Object Reference attacks against the users list, organization details, bookmarks, and notifications of an arbitrary organization. | ||||
| CVE-2025-8532 | 1 Bimser | 1 Eba Document And Workflow Management System | 2026-04-15 | 6.4 Medium |
| Authorization Bypass Through User-Controlled Key, Improper Authorization vulnerability in Bimser Solution Software Trade Inc. EBA Document and Workflow Management System allows Forceful Browsing.This issue affects eBA Document and Workflow Management System: from 6.7.164 before 6.7.166. | ||||
| CVE-2024-13063 | 1 Akinsoft | 1 Myrezzta | 2026-04-15 | 6.8 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft MyRezzta allows Forceful Browsing.This issue affects MyRezzta: from s2.02.02 before v2.05.01. | ||||
| CVE-2025-68997 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through <= 7.6.43. | ||||